
Pros and Cons of Patching with SCCM

December 19, 2017

Microsoft’s System Center Configuration Manager (SCCM) is a paid lifecycle management solution that keeps track of a network’s inventory, assists in application installation, and deploys updates and security patches across a network. While SCCM uses Microsoft’s WSUS patching system to check for and install updates, it gives users additional control over when and how patches are applied, and includes many more features that make it an attractive option for large enterprise networks. However, SCCM presents several challenges for networks looking for one solution to patch all devices, operating systems, and third-party applications, so it is important to evaluate the pros and cons of patching with SCCM.

Pros of SCCM

Part of a Full Lifecycle Management System for Windows: SCCM includes a wide range of functions that provide flexibility over how patches are applied, generate system-wide reports, and allow for control over any Windows machine in the network from one central console. SCCM provides a suite of endpoint protection tools and with the correct configuration can be a full lifecycle management system for IT departments with a high percentage of Windows systems.

Integrates Seamlessly with Windows Systems: Being a Microsoft product, SCCM integrates very well with Windows systems and other Microsoft products. In recent years, SCCM has tried to adapt to the trend of employee-provided devices connecting to company networks, and now supports “Bring Your Own Device,” meaning that devices added to a network by individual employees can be controlled via SCCM and flagged if they are not updated.

Control via GUI and Support via Microsoft: SCCM is controlled via a relatively simple GUI, which means it is easier to learn and implement than self-deployed tools such as Chef and Puppet. Because SCCM is an established and paid Microsoft service, it also has good support via community channels and Microsoft itself.

Cons of SCCM

High Costs to Acquire and Run: SCCM is usually sold as part of a larger suite of tools from Microsoft, and is prohibitively expensive for non-enterprise companies. Pricing for SCCM is opaque and can include separate costs for endpoints and servers. SCCM is also an on-premises solution that requires a SQL server to run, resulting in high ongoing operating costs and resource requirements to maintain.

Built for Windows-Dominated Systems: SCCM is built first and foremost for Windows systems, and therefore its functionality and updates are focused around Windows. Non-Windows systems, including Mac and Linux, can be managed through SCCM as end-clients; however, the process is a kludge, as SCCM still requires a Windows server to run and the functionality for non-Windows systems is reduced. For mixed-OS environments, manual elements of patching remain even with SCCM installed, a major downside for companies that are already paying a large sum for SCCM.

Limited Ability to Patch 3rd Party Applications: While SCCM adds more support for 3rd party applications than WSUS, the ability for SCCM to patch 3rd party applications is very limited and the source of much frustration among IT Managers. On Microsoft’s SCCM feedback page, improvements to 3rd party patching are the top request. That is no surprise: 3rd party software accounts for up to 76% of vulnerabilities on the average PC [1], so the difficulty of configuring SCCM to patch 3rd party applications automatically can put your infrastructure at risk.

Alternatives to SCCM

SCCM is a viable solution only for enterprises that can both afford it and have a Windows-only infrastructure. However, with mixed operating systems becoming the norm, SCCM is less valuable in terms of patching capabilities and efficiency.

Modern cloud-based patching solutions, like Automox, are more cost effective and robust than SCCM. These solutions offer patching across operating systems including Windows, Mac, and Linux, as well as native 3rd party software deployment and patching, all from a single dashboard. To learn more about Automox’s single source of truth for patching, drop us a note. To check us out for yourself, sign up for our 15-day free trial.


1 https://www.csoonline.com/article/2226451/microsoft-subnet/third-party-software–not-microsoft-s–blamed-for-76–of-vulnerabilities-on-average.html
Author Holly Hamann, CMO

Holly Hamann serves as Automox's Chief Marketing Officer and is an entrepreneur and start-up veteran. She has helped launch six tech companies in the social media, content, video, and marketing software industries and specializes in SaaS software marketing, content marketing, and influencer marketing. She is an American Marketing Association "Marketer of the Year" recipient and holds a Bachelor's Degree in Mathematics and Computer Science.
